Can not install certificate into xmpp

sayed · January 28, 2019, 11:28am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: myscrap.com

My web server is (include version): Apache

The operating system my web server runs on is (include version): Centos

My hosting provider, if applicable, is:Hostgator

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I just purchased dedicated server from hostgator and got free ssl of letsencrypt, I tried to install xmpp - openfire into my server and while adding ssl in openfire its giving me error saying that “There was an error while trying to import the private key and signed certificate. Internal server error: The supplied certificate chain does not cover the domain of this XMPP service.”

Currently without SSL i can not connect to openfire and while trying to connect I am getting error saying “net::ERR_CERT_AUTHORITY_INVALID”

I tried every possible solution but can not get this error out.

Kindly help, any kind of help is much more appreciated

JuergenAuer · January 28, 2019, 2:25pm

Hi @sayed

I don't use XMPP, but the error says, that the domain name of the certificate is wrong.

Checking your domain there is a cPanel-certificate ( https://check-your-website.server-daten.de/?q=myscrap.com ):

CN=myscrap.com
	14.01.2019
	14.04.2019
	autodiscover.myscrap.com, cpanel.myscrap.com, 
mail.myscrap.com, myscrap.com, webdisk.myscrap.com, 
webmail.myscrap.com, www.myscrap.com - 7 entries

So your website works and you shouldn't install another certificate.

Isn't it possible to create an exception? Your website doesn't use HSTS.

rg305 · January 29, 2019, 12:42am

What is the domain (name) of "this XMPP service"?

sayed · January 29, 2019, 4:54am

the domain name for the xmpp service is myscrap.com

rg305 · January 29, 2019, 5:00am

If you can, please provide more detail on the connection and the error/message.

sayed · January 29, 2019, 6:14am

Thanks for Quick response its Highly appreciated.

Let me try to elaborate the scenario here.

I have recently purchased the Hostgator Dedicated server with which i got letsencrypt ssl for free now my site is working on https so if I tried to connect xmpp with http it will not work so in xmpp we have option to upload ssl. when I upload ssl there the CRT and Key files gets uploaded successfully but but its not working on front end giving error of “net::ERR_CERT_AUTHORITY_INVALID" and when I tried to upload CABUNDLE and key its giving me the following error “There was an error while trying to import the private key and signed certificate. Internal server error: The supplied certificate chain does not cover the domain of this XMPP service.”

please check below link for more details :
Xmpp Error Page : http://prntscr.com/mdkxro
My Browser error page with CRT and key uploaded as a certificate : http://prntscr.com/mdkxfw

The problem is with this URL : https://myscrap.com:7443/http-bind/
when I checked it with ssl certificate checker I am getting this : http://prntscr.com/mdkym3

Please check whether this Information is enough or not.

Any kind of help is highly Appreciated.

Thanks in advance

rg305 · January 29, 2019, 6:28am

What are the file names you used (with full path) for that?

This seems like you used the cert.pem file which doesn't have the intermediate cert(s).
Try using fullchain.pem instead.

sayed · January 29, 2019, 7:36am

Thanks again for your reply

“when I upload ssl there the CRT and Key files gets uploaded successfully”

I am getting CRT from my whm panel.

For fullchain.pem can you please help me where I can find it?

Thanks in advance.

rg305 · January 29, 2019, 7:40am

Usually in folder:
/etc/letsencrypt/live/{cert.name}/

ls -lR /etc/letsencrypt/live/ | grep fullchain
or if not there:
find / -name fullchain.pem

sayed · January 30, 2019, 5:22am

Hi rg305,

Thanks again for this quick reply.
I have uploaded the full chain certificate and the error is gone but still I am facing the same issue of auth validation on my browser the error says : net::ERR_CERT_AUTHORITY_INVALID

Please check the screenshot for more details.

thanks in advance. after your help i reached this point.

rg305 · January 30, 2019, 5:37am

What runs on port 7443?
netstat -pant
or
netstat -tplen

sayed · January 30, 2019, 6:07am

I guess there is problem with listing on 7443
check below listing port on 7443

rg305 · January 30, 2019, 11:58pm

Java (from Screenshot)

So you run Apache; And Certbot can use that to get a cert.
The cert does contain the name you use in XMPP.
But XMPP uses Java (not Apache) configuration.

I don't know how to configure this Java implementation of XMPP.
But the "fix" lies in it there. Most likely in it using the fullchain.pem file instead of cert.pem file.
Or maybe the client doesn't have LE root in its' trusted store.

These assumptions can be tested with OpenSSL or even easier with any web browser.

As shown from any web browser when you connect to https://myscrap.com:7443/http-bind/
You will see the error and the certificate in use:

It is NOT using the cert obtained by Apache/Certbot.
It is using a self-signed cert
So my assumptions were wrong but now you know where the problem is.

system · March 1, 2019, 11:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.